        /// <summary>
        /// Runs one control-flow deobfuscation pass over every method that
        /// <c>AsmDef.FindMethods</c> yields, logging each cleaned method and a final count.
        /// </summary>
        /// <returns>Always <c>true</c>; the pass has no failure path of its own.</returns>
        public static bool Phase1()
        {
            var cleaner = new CflowDeobfuscator();
            var cleanedCount = 0;

            // The predicate accepts every method, so the whole assembly is visited.
            foreach (var method in AsmDef.FindMethods(m => true))
            {
                cleaner.deobfuscate(method);
                Logger.VLog("Cleaned method: " + method.Name);
                cleanedCount += 1;
            }

            Logger.VSLog(string.Format("{0} methods cleaned...", cleanedCount));
            return true;
        }
		/// <summary>
		/// Looks for the first type in <c>module</c> that imports kernel32!CloseHandle and
		/// on which both an <see cref="AssemblyResolver"/> and a <see cref="MemoryPatcher"/>
		/// are detected; stores those two helpers in <c>assemblyResolver</c> and
		/// <c>memoryPatcher</c>. The fields are left untouched when no type qualifies.
		/// </summary>
		void Find() {
			var cflow = new CflowDeobfuscator(new MethodCallInliner(true));

			foreach (var candidate in module.Types) {
				// Only types carrying a kernel32!CloseHandle P/Invoke are considered.
				var hasCloseHandle = DotNetUtils.GetPInvokeMethod(candidate, "kernel32", "CloseHandle") != null;
				if (!hasCloseHandle)
					continue;

				var resolverCandidate = new AssemblyResolver(candidate, cflow);
				if (resolverCandidate.Detected) {
					// The patcher is only probed once the resolver matched, as in the original order.
					var patcherCandidate = new MemoryPatcher(candidate, cflow);
					if (patcherCandidate.Detected) {
						assemblyResolver = resolverCandidate;
						memoryPatcher = patcherCandidate;
						return;
					}
				}
			}
		}
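        /// <summary>
        /// Scans <c>module</c> for the VM handler-table type: a type whose fields are exactly
        /// (its own type, Dictionary&lt;UInt16, Type&gt;, UInt16) and whose static constructor,
        /// after control-flow deobfuscation, yields the expected number of handler types.
        /// </summary>
        /// <returns>
        /// The handler types collected from the first matching .cctor, or <c>null</c>
        /// when no type in the module qualifies.
        /// </returns>
        List<TypeDefinition> findVmHandlerTypes()
        {
            // Number of handler types the matching .cctor must register; any other count rejects the type.
            const int expectedHandlerCount = 31;

            var requiredFields = new string[] {
                null,   // slot 0 is overwritten per candidate with the candidate's own full name
                "System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>",
                "System.UInt16",
            };
            var cflowDeobfuscator = new CflowDeobfuscator(new NoMethodInliner());
            foreach (var type in module.Types) {
                var cctor = DotNetUtils.getMethod(type, ".cctor");
                if (cctor == null)
                    continue;
                requiredFields[0] = type.FullName;
                if (!new FieldTypes(type).exactly(requiredFields))
                    continue;

                cflowDeobfuscator.deobfuscate(cctor);
                var handlers = findVmHandlerTypes(cctor);
                // NOTE(review): the overload's null behaviour is not visible here; a null result
                // is treated as "no match" so a stray candidate skips instead of throwing.
                if (handlers == null || handlers.Count != expectedHandlerCount)
                    continue;

                return handlers;
            }

            return null;
        }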
		/// <summary>
		/// Finds the VM handler-table type by its field layout (its own type, a
		/// Dictionary&lt;UInt16, Type&gt; and a UInt16), deobfuscates that type's static
		/// constructor and collects the handler types it registers.
		/// </summary>
		/// <returns>
		/// The handler list of the first type yielding at least <c>NUM_HANDLERS</c> entries,
		/// or <c>null</c> if no type in <c>module</c> does.
		/// </returns>
		List<TypeDef> FindVmHandlerTypes() {
			const string dictionaryFieldType = "System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>";
			const string counterFieldType = "System.UInt16";
			var cflow = new CflowDeobfuscator();

			foreach (var candidate in module.Types) {
				var staticCtor = candidate.FindStaticConstructor();
				if (staticCtor == null)
					continue;

				// The first expected field type is the candidate itself; the other two are fixed.
				var expectedFieldTypes = new[] { candidate.FullName, dictionaryFieldType, counterFieldType };
				if (!new FieldTypes(candidate).All(expectedFieldTypes))
					continue;

				cflow.Deobfuscate(staticCtor);
				var handlerTypes = FindVmHandlerTypes(staticCtor);
				if (handlerTypes.Count >= NUM_HANDLERS)
					return handlerTypes;
			}

			return null;
		}